The rising cost of cyber attacks

SINGAPORE - Banks and large retailers will be the key targets of cyber criminals next year.

"The bad guys are going for the 'buffaloes', hacking into large organisations to steal millions of personal details," said Mr Raimund Genes, chief technology officer of security firm Trend Micro.

"Attacking these institutions with millions of customers is worth more than hacking individuals for their personal information," he told The Sunday Times on a recent visit to Singapore.

The mobile phone is another target for cyber criminals next year, he said.

Apple and Windows-based mobile apps, he explained, are generally safe because both Apple and Microsoft have rigorous approval processes to vet apps before they are distributed. But Google apps do not go through this process, he said.

"These apps, as well as premium hotline services like the ones used for sex services, can be used by cyber criminals to drop malicious software into the phones to steal information like contact details or passwords used to access bank accounts."

More worrying for corporations is that smartphones and tablets are also routinely used by consumers to access business data.

After all, this is the era of "BYOD" or "bring your own device" - where corporations let employees use their own devices to access corporate data. So the risk of losing confidential information and trade secrets through mobile phones is very high, SingTel chief executive (group enterprise) Bill Chang told The Sunday Times.

Cyber security incidents are at epic levels this year. Virtually every industry across the world has been hit by some form of cyber threat.

There have been a colossal 42.8 million attacks this year, up 48 per cent from last year, said The Global State of Information Security Survey 2015 report - a joint effort by consulting firm PricewaterhouseCoopers (PwC) and two US-based magazines, CIO and CSO.

Released early this month, the survey - which had 9,700 respondents - found that the global cost of detected cybercrime incidents has exceeded US$23 billion (S$29.3 billion) this year. In reality, the figure is much larger because many organisations have not reported attacks for fear of reputational loss and lawsuits. In some cases, there are also no regulatory demands that cyber breaches be reported.

According to research firm Forrester, corporate espionage costs US companies about US$500 billion yearly. When bad guys steal intellectual property or research and development plans, they sell them to competing corporations which can shave off years of R&D and millions of dollars in costs.

Experts say there is a variety of new threats to contend with now.

For example, organised cyber criminal gangs operate in the shadowy depths of the Internet called the Dark Web.

Designed to be untraceable and inaccessible to regular search engines like Google, the Dark Web operates like the eBay of the underground, said Trend Micro's Mr Genes. This is where criminals buy, sell and trade stolen data, new attack tools and intelligence.

The Dark Web is always looking for a new cash cow, said Mr Genes. A trending cash cow is zero day exploits, which are online vulnerabilities for which there is no software solution.

Then there are APTs, or advanced persistent threats, which are stealthy and continuous computer hacking processes, aimed at specific organisations, nations or businesses, said Mr Dave DeWalt, chief executive of security firm FireEye.

"All organisations must be aware that they are probably already compromised. The APTs can remain undiscovered over a long period of time, during which they can steal information without anyone knowing."

Singapore has not escaped cyber attacks, with government websites having been recently defaced.

Like many other countries, it is quickly stepping up its cyber security resources. The CyberWatch Centre set up in 2007, which monitors critical public sector IT installations round the clock, will be upgraded in January next year to track unauthorised changes to websites and spot malicious files and potential data leaks in networks.

Earlier this month, the Singapore Government also set aside $42 million to fund seven research projects in areas such as digital forensics and mobile and cloud data security.

Another area Singapore is investing in is talent in cyber defence. Tertiary institutions here are adding cyber security modules to their degree and diploma programmes. The Government is also collaborating with multinational corporations like Internet authentication firm RSA and tech giant NEC to train cyber security professionals.

At Singapore's largest telco SingTel, there are fresh investments in an Asia-Pacific Cyber Security Competency Centre (ACE) next year. ACE will work with international research and academic partners on big-data security analytics and predictive security intelligence. It will also develop various threat scenarios and solutions.

Meanwhile, a new "cyber range lab" will be set up to do security resilience testing. This means building on realistic threat simulation with customers to enable competency building.

Last month, the telco also signed a US$50 million deal with FireEye where it will set up a security operations centre here and train about 150 cyber security professionals.

Security companies are also trying to find ways to quickly identify cyber intruders. One way is through predictive security.

FireEye's Mr DeWalt said: "The only way to minimise advanced persistent threats or APTs is to monitor the Internet and telecoms network. We see how people and organisations are doing online. Someone could register a business website but, from our record, he has no business. So that is suspicious and we track to see what he does. He could be organising a Web scam."

Such activities are captured by online sensors that FireEye has installed in its customers' Internet network. Its collaboration with

SingTel will allow it to add more sensors in the telco's extensive network in Australia, South-east Asia, India and Africa. "The data we collect will allow us to stop a cybercrime preferably before it is committed, but if we can do it in minutes, instead of days, it will be a big improvement."

Mr DeWalt believes that FireEye and SingTel can do predictive security in the next couple of years.

Going forward, there will be many cyber security issues for organisations to ponder.

Rogue nation states, hackers and organised crime groups are the villains everybody loves to hate, but Singapore corporations would do well to seriously consider insider threats which are potentially more damaging.

Insider attackers can be disgruntled employees who leak company secrets to competitors. They could also be bribed to sell trade secrets. Departing employees could steal information which they can use in their new roles with competitors.

According to research firm Forrester, 58 per cent of all breaches are the result of internal security incidents. Insiders also include business partners and subcontractors who sometimes enjoy the similar trust and access levels to organisations' networks.

This spells disaster. A cyber assault on American retailer Target which saw it losing 110 million bank card numbers was a result of hackers gaining undetected access to its network with credentials stolen from a business partner who had worked for some Target stores.

Another issue that organisations need to better understand is cyber risk and how to shift their focus from installing security tools to prevent unauthorised intrusions to protecting their crown jewels.

Called pre-breach planning by the cyber security industry, organisations must identify their "jewels", where they are stored, how they are protected and who are the potential thieves.

This exercise will raise awareness of cyber security among the ranks of every senior management team and board of directors. It is high time that they recognise and act on these very serious threats, for the good of ordinary consumers they serve.

chngkeg@sph.com.sg

This article was first published on October 26, 2014.
Get a copy of The Straits Times or go to straitstimes.com for more stories.